Message-ID: <20231221143630.GD14101@suse.de>
Date: Thu, 21 Dec 2023 15:36:33 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: New SMTP smuggling attack

Hi,

As if we did not have sufficient protocol vulnerability work shortly before Christmas break this year, here is one more:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

While it looks like "old stuff", this is new quality.

tldr: The end of "SMTP data phase" with "<CR><LF>.<CR><LF>" is not consistently implemented everywhere (e.g. when leaving out <CR> or inserting \0 or so) and could lead to one server passing it through and the other processing it, leading to mail spoofing.

The security report is for some custom email servers, but at least Postfix announced mitigation work already:

https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html

Ciao, Marcus
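Added example, not part of the original message and not code from Postfix or the SEC Consult report: a Python check a mail gateway could run on a raw DATA stream to find lone-dot lines that are not exactly <CR><LF>.<CR><LF>, and to show where a strict and a lenient parser would each end the message. The function names and the sample streams are assumptions constructed for illustration.

```python
import re

STANDARD_EOD = b"\r\n.\r\n"

# A line holding only "." whose line breaks may be CRLF, bare LF or bare CR,
# optionally with NUL bytes next to the dot. The trailing break sits in a
# lookahead so that back-to-back lone-dot lines are all reported.
_LONE_DOT = re.compile(rb"((?:\r\n|\n|\r)\x00*\.\x00*)(?=(\r\n|\n|\r))")


def find_lone_dots(stream: bytes):
    """Return (offset, raw_bytes, is_standard) for every lone-dot line."""
    hits = []
    for m in _LONE_DOT.finditer(stream):
        raw = m.group(1) + m.group(2)
        hits.append((m.start(), raw, raw == STANDARD_EOD))
    return hits


def message_end(stream: bytes, strict: bool):
    """Offset where a parser would end the message, or None if it never does.

    strict=True accepts only CRLF.CRLF; strict=False models a lenient parser
    that accepts any lone-dot line as end of data.
    """
    for offset, _raw, is_standard in find_lone_dots(stream):
        if is_standard or not strict:
            return offset
    return None


def parsers_disagree(stream: bytes) -> bool:
    """True when a strict and a lenient parser see different message ends."""
    return message_end(stream, True) != message_end(stream, False)


# Constructed sample streams (not captured traffic).
CLEAN = b"Subject: hi\r\n\r\nbody\r\n..stuffed\r\n.\r\n"
BARE_LF = b"Subject: a\r\n\r\nline\n.\nmore text\r\n.\r\n"
WITH_NUL = b"a\r\n.\x00\r\nb\r\n.\r\n"

if __name__ == "__main__":
    for name, s in (("clean", CLEAN), ("bare LF", BARE_LF), ("NUL", WITH_NUL)):
        print(name, find_lone_dots(s), "disagree:", parsers_disagree(s))
```

A stream for which parsers_disagree() returns True is one that a gateway can reject or normalise before relaying, so that the next hop cannot interpret it differently.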